
I have created REST APIs for my Android app. All APIs are protected using OAuth2 (password grant_type).

The user provides the username and password, the server verifies the credentials and issues an access_token and a refresh_token, which can then be used for calling the APIs.

Now the problem here is that the APIs are public and open to everyone. How can I verify that only calls generated from my app are honored?

Scenario: XYZ is a user of my app and also a very good developer. He was curious enough to figure out how my app and APIs are interacting. Now he is also a bit ambitious (I guess) and decides to create his own Android app (similar to my app) that uses my REST APIs. How can I secure my APIs against this usage?

I looked over a few other posts but I didn't find anything useful to protect my APIs from such usage.

behinddwalls
  • If your server has implemented OAuth2 as you say, then any application would need a client id and client secret to access your API. – akash93 Jan 06 '17 at 03:31
  • I am not allowing others to create apps based on my APIs. My app will have the clientId and that will be used to verify the app, but that clientId can be discovered if someone decompiles my APK to source code. Now if someone has discovered the clientId, he can create an app that does the same thing my app does. – behinddwalls Jan 06 '17 at 03:35
  • It's impossible to make your client unbreakable, but you can refer to this for a few ways to make it more difficult: https://stackoverflow.com/questions/14570989/best-practice-for-storing-private-api-keys-in-android – akash93 Jan 06 '17 at 03:55

1 Answer


What you are trying to do is impossible, at least from an engineering standpoint. You can use various tools to obfuscate the secrets stored in your application (e.g. ProGuard), but ultimately, no matter what mechanism you use to obfuscate your secrets, they must be accessible to the device that uses them. You could also take other steps to increase the time required to reverse engineer your application, such as frequently changing your API in ways that are likely to break reverse-engineered clients, or pushing mandatory updates that change the secrets and the mechanism used to obfuscate those secrets.

Nevertheless, no matter what you do, a sufficiently motivated user will be able to obtain any secret you distribute in your application.

Legally, you have more options. You may be able to make it impossible to legally access your API from an unauthorized application by using an appropriate EULA; see Blizzard v BnetD. If you own the copyright on the data your service provides, you may be able to prevent third-parties from reproducing it elsewhere without your permission, or charge them for doing so. There are probably other legal options too; you would need to consult a lawyer.

But why bother? Before you begin down this path, perhaps you should ask yourself why you are trying to prevent other applications from accessing your API in the first place. If users find your service valuable but are sufficiently unhappy with the client you provide that they are willing to install a third-party application to access your service, perhaps you should focus on improving your own client, rather than forcing your users to use a client they clearly do not prefer.

Jason Hoetger
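The following is an added example, not code from the question or the answer. It simulates, in-process, the password-grant token endpoint the question describes and plays through the scenario from both posts: the genuine app and XYZ's rogue app present the same client_id/client_secret extracted from the APK, and the server cannot tell them apart. It also shows what the answer's "push an update that changes the secret" option buys you: the old extracted secret stops working, until the rogue developer extracts the new one. The class name `TokenServer`, the client id `my-android-app`, the user `xyz` and all secrets are constructed for the demo and are not from the original page.

```python
"""Added example (not from the question or the answer): a minimal OAuth2
password-grant token endpoint simulated in-process. It shows why a
client_id/client_secret shipped inside an APK cannot tell the server which
app is calling. All names, users and secrets here are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenServer:
    # Constructed sample data: one end user and one registered client.
    users: dict = field(default_factory=lambda: {"xyz": "correct horse battery"})
    client_secrets: dict = field(default_factory=lambda: {"my-android-app": "s3cr3t-v1"})
    issued: dict = field(default_factory=dict)  # access_token -> username

    def token(self, grant_type, client_id, client_secret, username, password):
        """Handle what would be POST /oauth/token with grant_type=password.

        Returns a dict shaped like the JSON body an OAuth2 server sends, or an
        error dict. Secret and password comparisons use hmac.compare_digest so
        the check itself does not leak the value through timing."""
        if grant_type != "password":
            return {"error": "unsupported_grant_type"}
        expected = self.client_secrets.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        # The server records WHO authenticated, never WHICH binary sent it.
        self.issued[access] = username
        return {"access_token": access, "refresh_token": refresh, "token_type": "bearer"}

    def rotate_client_secret(self, client_id):
        """Simulate the answer's 'mandatory update with a new secret' option.

        The previous secret is rejected immediately; the genuine app receives
        the new one through the update, the rogue app has to re-extract it."""
        new_secret = secrets.token_urlsafe(16)
        self.client_secrets[client_id] = new_secret
        return new_secret


def run_demo():
    """Play through the question's scenario and return the observable outcomes."""
    server = TokenServer()
    creds = dict(grant_type="password", username="xyz", password="correct horse battery")

    # The real app ships client_id and client_secret inside the APK.
    genuine = server.token(client_id="my-android-app", client_secret="s3cr3t-v1", **creds)

    # XYZ decompiles the APK and copies the same two strings into his own app.
    extracted_secret = "s3cr3t-v1"
    rogue = server.token(client_id="my-android-app", client_secret=extracted_secret, **creds)

    # Rotation buys time: the stale secret fails, but a re-extracted one succeeds.
    new_secret = server.rotate_client_secret("my-android-app")
    rogue_stale = server.token(client_id="my-android-app", client_secret=extracted_secret, **creds)
    rogue_fresh = server.token(client_id="my-android-app", client_secret=new_secret, **creds)

    return {
        "genuine_ok": "access_token" in genuine,
        "rogue_ok": "access_token" in rogue,
        "rogue_stale_error": rogue_stale.get("error"),
        "rogue_fresh_ok": "access_token" in rogue_fresh,
        # Both tokens resolve to the same user: nothing server-side distinguishes the apps.
        "same_user": server.issued[genuine["access_token"]] == server.issued[rogue["access_token"]],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `token` method is the whole of what the server can check: a client credential and a user credential, both of which the rogue app possesses. Rotation only changes how often the extraction has to be repeated, which is the answer's "increase the time required" point in code form.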